Active Directory Design and Security Concepts - MCTS Guide to Microsoft Windows Server 2008 Active Directory Configuration

Information Technology Reference

In-Depth Information

user wants to access resources in a domain that's several referrals away. Fortunately, there's a

solution to this problem in the form of shortcut trusts.

Shortcut Trusts A shortcut trust is configured manually between domains to bypass the

normal referral process. Figure 4-15 shows the same forest as Figure 4-14 but with a manually

configured two-way shortcut trust between R&D.US.coolgadgets.com and Asia.niftytools.com.

Coolgadgets.com tree

Coolgadgets.com

(forest root)

Niftytools.com tree

Niftytools.com

US.coolgadgets.com

UK.coolgadgets.com

Asia.niftytools.com

Americas.niftytools.com

R&D.US.coolgadgets.com

Two-way

shortcut trust

Figure 4-15

A two-way shortcut trust

Shortcut trusts are transitive and can be configured as one-way or two-way trusts

between domains in the same forest. Generally, they're configured when user accounts often

need to access resources in domains that are several referrals away. If the Active Directory

design includes multiple forests, older Windows OSs, or non-Windows OSs in which

resources must be shared, additional trust options are available: forest trusts, external trusts,

and realm trusts.

Forest Trusts A forest trust provides a one-way or two-way transitive trust between forests

that allows security principals in one forest to access resources in any domain in another forest. It's

created between the forest root domains of two Windows Server 2008 or Windows Server 2003

forests. Forest trusts aren't possible in Windows 2000 forests. A forest trust is transitive to the

extent that all domains in one forest trust all domains in the other forest. However, the trust isn't

transitive from one forest to another. For example, if a forest trust is created between Forest A and

Forest B, all domains in Forest A trust all domains in Forest B. If there's a third forest, Forest C,

and Forest B trusts Forest C, a trust relationship isn't established automatically between Forest A

and Forest C. A separate trust must be configured manually between these two forests.

Search WWH ::

Custom Search

Home